Closed kartben closed 5 years ago
Correct, using the group key would allow you to generate a key for the device with just the device id. The reason we don't advise doing this is that now you are putting the group key on all your devices along with the scope id. In the event one device becomes compromised, you effectively compromise all your devices in your application. To mitigate the issue you would need to change the group key and update all the devices with the new group key. Using either the device key or an x.509 cert on the device limits a successful attack to a single device.
Closing this issue, as adding a group key would be a security risk.
Should be pretty straightforward. If groupKey is provided instead of a deviceKey, an HMAC signature should be computed for the 'deviceId' using said group key. Since I have it working on my fork (not committed yet), I will eventually submit a patch as part of a larger pull request, I guess :)
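The derivation the last comment describes, as an added example that is not part of the original issue or of the project's code: the per-device key is HMAC-SHA256 over the device id, keyed with the base64-decoded group key. The example keeps that step on the provisioning back end so only the derived key ever ships to a device, and shows why rotating the group key forces every device to be re-provisioned. The group keys and device ids are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample group keys (not real credentials), base64-encoded as they
# would be stored on the provisioning back end.
GROUP_KEY_B64 = base64.b64encode(b"constructed-group-enrollment-key-1").decode()
ROTATED_GROUP_KEY_B64 = base64.b64encode(b"constructed-group-enrollment-key-2").decode()


def derive_device_key_bytes(group_key_b64: str, device_id: str) -> bytes:
    """HMAC-SHA256 of the device id, keyed with the decoded group key."""
    key = base64.b64decode(group_key_b64)
    return hmac.new(key, device_id.encode("utf-8"), hashlib.sha256).digest()


def derive_device_key(group_key_b64: str, device_id: str) -> str:
    """Base64 form of the derived key, which is what a device is given."""
    return base64.b64encode(derive_device_key_bytes(group_key_b64, device_id)).decode()


def provision(group_key_b64: str, device_ids: list[str]) -> dict[str, str]:
    """Back-end step: derive each device's key once. The group key stays here;
    a device only ever receives its own derived key, so compromising one
    device does not expose the key material of the others."""
    return {device_id: derive_device_key(group_key_b64, device_id) for device_id in device_ids}


def rotation_impact(old_group_key_b64: str, new_group_key_b64: str, device_ids: list[str]) -> int:
    """Number of devices whose key changes when the group key is rotated.
    Because the derivation is deterministic in the group key, this is every
    device in the enrollment group, which is the re-provisioning cost the
    thread warns about."""
    before = provision(old_group_key_b64, device_ids)
    after = provision(new_group_key_b64, device_ids)
    return sum(1 for device_id in device_ids if before[device_id] != after[device_id])


if __name__ == "__main__":
    ids = ["device-001", "device-002", "device-003"]
    for device_id, device_key in provision(GROUP_KEY_B64, ids).items():
        print(device_id, device_key)
    print("devices to re-provision after rotation:",
          rotation_impact(GROUP_KEY_B64, ROTATED_GROUP_KEY_B64, ids))
```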